The Government's Bad Move: Ordering Apple to Hack iPhone Security

By Jeff Gamet

Feb 17th, 2016 4:22 PM EST

A Federal Judge has ordered Apple to create a security weakness in iOS so FBI agents can launch a brute force attack on the passcode from an iPhone used by one of last year's San Bernardino shooters. The FBI says their scheme would be a one-off thing, but Apple says it'll open a hole that greatly reduces the security and privacy protections built into our iOS devices, and he's right.

A Federal court says Apple has to make a hackable version of iOS for the FBI

Syed Rizwan Farook and Tashfeen Malik opened fire during a San Bernardino County Department of Public Health party on December 2, 2015, killing 14 people and injuring 22 more. They were tracked down later that day by FBI agents and killed in a shootout, who then recovered their iPhones.

The FBI asked Apple to give them access to the encrypted data on one of the iPhones, which isn't possible because the security system built into the device was designed so Apple can't do exactly what the FBI was asking. The FBI characterized Apple's response as declining to voluntarily provide access to the device and took their fight to Federal Court in a move to force the company to do the impossible.

What the FBI has asked for now, and the court agreed, is for Apple to put together a special version of iOS that bypasses the built-in data wipe feature users can enable (and presumably the domestic terrorists in this case did), and turn off the failed login attempt delay. That gives the FBI the ability to use a brute force attack to find the iPhone's passcode without risk of losing the data it contains.

The way the FBI plans to accomplish this was detailed in the court order:

Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI.

The FBI's assertion that they want Apple to introduce a security hole in just one iPhone sounds nice, but the reality is once the security-weakened version of iOS is created, the door is open for serious abuse. It also opens a door where other governments could demand Apple unlock iPhones for them, or had over the FBI-mandated iOS for their own use.

Next up: Apple fights back

FBI Court Order: Apple Fights Back

Apple CEO Tim Cook took his argument against the court order public with an open letter on the company's website. His message is strong, but in typical Tim Cook fashion, it's also well thought out.

Apple CEO Tim Cook speaking at a cyber security summit

"The FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation," Mr. Cook said. "In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone's physical possession."

Mr. Cook went on to shoot down the FBI's claim this is something that could be used only once. He said,

The government suggests this tool could only be used once, on one phone. But that's simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks—from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

Apple is challenging the court order calling it "an overreach by the U.S. government."

That said, Apple could have a hard fight ahead. The court order also says Apple can install the modified operating system in their own facility and give the FBI remote access to the iPhone. That would go a long way towards addressing potential concerns a judge may have, and ultimately that may be all that matters: appeasing a judge's concerns.

The Electronic Frontier Foundation is openly siding with Apple and echoing what Mr. Cook said.

"For the first time, the government is requesting Apple write brand new code that eliminates key features of iPhone security—security features that protect us all," the rights group said in a statement. "Essentially, the government is asking Apple to create a master key so that it can open a single phone. And once that master key is created, we're certain that our government will ask for it again and again, for other phones, and turn this power against any software or device that has the audacity to offer strong security."

Next up: Forcing Apple to Hack Our Privacy

Forcing Apple to Hack Our Privacy

From a technical standpoint, Apple could develop a special version of iOS that doesn't include the security measures we see today, but that doesn't mean they should. Intentionally introducing a major security flaw into the operating system is a one way path: once it's done, there isn't any going back. Our iPhones and iPads will be secure in name only, and every government will demand access for their own uses.

Once governments have the ability to break into our iPhones, they'll also have the means to turn our smartphones into surveillance devices tracking our location, listening in on our conversations, intercepting text and email messages, accessing personal data, and more. Mr. Cook also pointed out the very real possibility that the government could compel Apple to write code to do just that, and even access our iPhone cameras and microphones without our knowledge or consent.

The FBI is using the court system to force weaker iPhone security

The American Civil Liberties Union sees a big problem with the FBI's court order, as well. "This is an unprecedented, unwise, and unlawful move by the government," said ACLU staff attorney Alex Abdo. "The Constitution does not permit the government to force companies to hack into their customers' devices."

Apple has committed to fight this court order, and we can take steps to help keep our iPhones safe from prying eyes—whether they're from the government that's supposed to protect us, from criminals, or hackers.

Make sure you use a passcode on your iOS device. If you aren't go to Settings > Touch ID & Passcode > Turn Passcode On. iOS 9 defaults to six-digit passcodes, but if you've set device to use four-digit codes instead you can change back and Melissa Holt has a great tip explaining how. If you want an even more complex passcode, check out Kelly Guimont's awesome how-to.

Why would you want a longer passcode, you ask? It takes only a few hours to run though all four-digit combinations, and once done your iPhone or iPad passcode is in the hands of the government, criminals, or hackers. Using a six-digit passcode, or a more complex code that uses letters and numbers, it'll take years at a minimum—and possibly lifetimes—to crack your code.

Set your iOS device to erase all data after ten failed login attempts. You can find that at Settings > Touch ID & Passcode > Erase Data. True, the FBI's court order says Apple has to make an iOS version that ignores the feature, but that's no reason to make potential hacker's lives easier.

Apple has five days to respond to the court order, and Mr. Cook's open letter was just the first salvo from the company. It's legal response is no doubt coming very soon, and it's clear the company is going to fight this tooth and nail.

Privacy and security lost can't be regained, and that is what's about to happen. Apple needs to fight this court order, and other tech companies need to openly oppose it or face similar court orders for their products. This is about more than finding the messages and photos on a domestic terrorist's iPhone; it's about fundamentally eroding our privacy and digital security.

The EFF says it'll file an amicus, or friend of the court, brief on Apple's behalf. Hopefully other companies will follow suit and this overreaching court order will be overturned.